Daniel Veillard <veillard@redhat.com> wrote on 04/07/2010 03:55:19 AM:
> On Tue, Apr 06, 2010 at 03:55:26PM -0400, Stefan Berger wrote:
> > The attached patch fixes a problem due to the mac match in iptables only
> > supporting --mac-source and no --mac-destination, thus it not being
> > symmetric. Therefore a rule like this one
> >
> > <rule action='drop' direction='out'>
> >   <all match='no' srcmacaddr='$MAC'/>
> > </rule>
> >
> > should only have the MAC match on traffic leaving the VM and not test
> > for the same source MAC address on traffic that the VM receives.
> >
> > Signed-off-by: Stefan Berger <stefanb@us.ibm.com>
> >
>
> Okay, I had to check _iptablesCreateRuleInstance() source to find out
> it's a giant switch, then patch makes sense, looks low risk and well
> contained,
>
> ACK,
>
Thanks. Pushed.
Stefan
> Daniel
>
> --
> Daniel Veillard | libxml Gnome XML XSLT toolkit http://xmlsoft.org/
> daniel@veillard.com | Rpmfind RPM search engine http://rpmfind.net/
> http://veillard.com/ | virtualization library http://libvirt.org/